CVE-2025-71319

Denial of Service in image-size Library via Zero-Sized Boxes

Vulnerability report for CVE-2025-71319, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-09

Last updated on: 2026-06-15

Assigner: VulnCheck

Description

image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted image buffer with a zero-valued size field in a recognized box-type. Attackers can trigger an infinite loop in the JXL or HEIF image parsers by providing a crafted image containing a box with a size of zero, causing the offset to never advance and permanently hanging the application.


Meta Information

Published: 2026-06-09
Last Modified: 2026-06-15
Generated: 2026-06-30
AI Q&A: 2026-06-10
EPSS Evaluated: 2026-06-28

Affected Vendors & Products

Showing 1 associated CPE

Vendor: image-size
Product: image-size
Version / Range: through 2.0.2 (inclusive)

Exploitability

CWE-835: The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Executive Summary

This vulnerability exists in the image-size library versions 1.1.0 before 1.2.1 and 2.0.0 before 2.0.2. It is a denial of service issue in the findBox function that occurs when processing specially crafted images containing zero-sized boxes.

Remote attackers can exploit this by supplying malicious JXL, HEIF, or JP2 image files with box size zero, which causes the application to enter an infinite loop during image validation, leading to the application hanging.

Impact Analysis

The primary impact of this vulnerability is a denial of service condition. An attacker can cause the affected application to hang indefinitely by sending specially crafted image files.

This can disrupt normal operations, potentially causing downtime or unavailability of services that rely on the image-size library for image processing.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by monitoring for applications using the image-size library versions up to 2.0.2 that process image files, especially JXL, HEIF, JP2, or ICNS formats.

Detection involves identifying if the application hangs or the Node.js event loop is blocked when processing specially crafted images containing a zero-sized field in recognized box-types or zero-length entries.

While no specific commands are provided in the resources, general approaches include:

  • Using process monitoring tools (e.g., top, htop) to detect Node.js processes stuck or consuming CPU indefinitely.
  • Using network monitoring to identify suspicious image file uploads or downloads that could contain crafted images.
  • Testing image processing endpoints with crafted images containing zero-sized boxes or zero-length entries to see if the application hangs.
  • Reviewing application logs for errors or timeouts related to image parsing.

Mitigation Strategies

Immediate mitigation steps include upgrading the image-size library to a version later than 2.0.2 where the vulnerability has been fixed.

If upgrading is not immediately possible, consider implementing input validation to reject images with zero-sized boxes or zero-length entries before processing.

Additionally, applying patches or fixes from the official repository pull requests (such as Pull Request #439) can help prevent the infinite loop condition.

Monitoring and limiting resource usage of the image processing service can also help mitigate the impact of potential exploitation.
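The failure mode in the Description and the pre-validation suggested under Mitigation Strategies, as an added example that is not image-size's own code: a walker over ISO BMFF-style boxes (the container layout shared by HEIF, JP2 and the JXL container) whose cursor is guaranteed to advance on every iteration, so a zero-valued size field is rejected instead of hanging the event loop. The box layout, the `findBox`/`walkBoxes`/`makeBox` names and the constructed sample buffers are assumptions for illustration.

```javascript
// Added example, not image-size's own code: a box walker for ISO BMFF-style
// containers (HEIF, JP2, JXL) whose cursor always moves forward, so a
// zero-valued size field is rejected instead of spinning the event loop.
// Box header: 4-byte big-endian size, then 4-byte type. size 1 means an
// 8-byte "largesize" follows; size 0 means "to end of file" in ISO BMFF,
// which this pre-filter rejects outright, as the mitigation text suggests.

function walkBoxes(buf) {
  const boxes = [];
  let offset = 0;
  while (offset + 8 <= buf.length) {
    let size = buf.readUInt32BE(offset);
    const type = buf.toString('latin1', offset + 4, offset + 8);
    let headerLen = 8;
    if (size === 1) {
      if (offset + 16 > buf.length) throw new Error('truncated largesize');
      const big = buf.readBigUInt64BE(offset + 8);
      if (big > BigInt(Number.MAX_SAFE_INTEGER)) throw new Error('largesize too big');
      size = Number(big);
      headerLen = 16;
    }
    // The invariant that removes the infinite loop: a box must be at least
    // as long as its own header, so `offset` strictly increases each pass.
    if (size < headerLen) throw new Error(`invalid box size ${size} at offset ${offset}`);
    if (offset + size > buf.length) throw new Error(`box '${type}' exceeds buffer`);
    boxes.push({ type, offset, size });
    offset += size;
  }
  return boxes;
}

// findBox-style lookup: first box of the requested type, or null if absent
function findBox(buf, type) {
  return walkBoxes(buf).find((b) => b.type === type) ?? null;
}

// Constructed test data (hypothetical, not a real HEIF file): sizeField
// overrides the computed size so a malformed header can be built on purpose.
function makeBox(type, payload, sizeField) {
  const header = Buffer.alloc(8);
  header.writeUInt32BE(sizeField ?? 8 + payload.length, 0);
  header.write(type, 4, 4, 'latin1');
  return Buffer.concat([header, payload]);
}

const GOOD = Buffer.concat([makeBox('ftyp', Buffer.from('heic')), makeBox('meta', Buffer.alloc(12))]);
// Same layout, but the 'meta' box declares size 0: a naive `offset += size` never moves.
const ZERO_SIZED = Buffer.concat([makeBox('ftyp', Buffer.from('heic')), makeBox('meta', Buffer.alloc(12), 0)]);
```

Running the walker as a gate in front of the real parser means a crafted upload fails fast with an error rather than blocking the process.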
